Difference between revisions of "GLKVM Reverse Proxy"

From W9CR
(Created page with "This is for configuring GLKVM behind an Apache reverse proxy. There are some details online about this in their [https://forum.gl-inet.com/t/kvm-behind-a-reverse-proxy/6137...")
 
Line 9: Line 9:
 
What I did was run a program from crontab, not great, but it works.  
 
What I did was run a program from crontab, not great, but it works.  
  
'''make a ssh key using the drop bear utility.'''  
+
# '''make a ssh key using the drop bear utility.'''  
  
'''Make this script /root/sshtunnel.sh'''
+
#2 '''Make this script /root/sshtunnel.sh'''
  
 
This will ssh to host.org as kvm, so you'll need to setup an account there and ensure ssh key login works.  Also ensure 34505 and 34506 ports are not in use on the host.  
 
This will ssh to host.org as kvm, so you'll need to setup an account there and ensure ssh key login works.  Also ensure 34505 and 34506 ports are not in use on the host.  
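Review bot: the second added line starts with `#2`, which is not list markup. MediaWiki reads the leading `#` as the list marker and prints the `2` as literal text after the item number. Use a bare `#` on both added lines and keep them on adjacent lines, so the two steps number themselves as 1 and 2.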

Revision as of 13:30, 6 October 2025

This is for configuring GLKVM behind an Apache reverse proxy.

There are some details online about this in their forum here, but it's for NGINX only. As this is based on the PiKVM, there are some examples of this, but they are not 100% working. My setup also uses SSH to punch an outbound tunnel to my server.

SSH proxy

I wanted to use something like https://wiki.w9cr.net/index.php/Secure_Tunnel_Service on this, but they don't use systemd, and I can't modify the inittab as it's on an overlay filesystem.

What I did was run a program from crontab, not great, but it works.

  1. Make an SSH key using the Dropbear utility.
  2. Make this script, /root/sshtunnel.sh

This will ssh to host.org as kvm, so you'll need to set up an account there and ensure SSH key login works. Also ensure ports 34505 and 34506 are not in use on the host.

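#!/bin/sh
# Keep the reverse SSH tunnel to host.org up; run from cron every minute.
PIDFILE="/tmp/sshtunnelpid"

# Exit if the PID recorded by the previous run is still alive.
if [ -e "${PIDFILE}" ] && kill -0 "$(cat "${PIDFILE}")" 2> /dev/null; then
  echo "Already running."
  exit 99
fi
# -y accepts an unknown host key without asking, -K 60 sends keepalives,
# -NT runs no remote command and allocates no terminal.
ssh -y -K 60 -NT kvm@host.org -i /root/.ssh/dropbear_id_ed25519 -R 34505:127.0.0.1:22 -R 34506:127.0.0.1:443 &
# Record the tunnel's PID so the next cron run can find it.
echo $! > "${PIDFILE}"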


As root, add this to your crontab (crontab -e):

* * * * * /root/sshtunnel.sh > /dev/null

Cron will now run this every minute; if the tunnel is already running, the script exits.
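The key stored on the KVM logs in to host.org without a passphrase, so the kvm account there should be able to do nothing beyond the two reverse forwards. The following check is an added example, not part of the original page: it assumes host.org runs OpenSSH and audits the "keyword value" lines that sshd -T prints. The function name and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes host.org runs OpenSSH,
# whose `sshd -T` prints the effective config as lowercase "keyword value" lines.

# audit_tunnel_account: reads `sshd -T` output on stdin, prints one FAIL line
# per setting that lets the kvm key do more than the two -R forwards, and
# returns non-zero if any were found.
audit_tunnel_account() {
  awk '
    function fail(msg) { print "FAIL " msg; bad++ }
    function want(k, v, why,    cur) {
      cur = (k in cfg) ? cfg[k] : "(unset)"
      if (cur != v) fail(k "=" cur ", want " v ": " why)
    }
    { key = $1; $1 = ""; sub(/^ +/, ""); cfg[key] = $0 }
    END {
      want("allowtcpforwarding", "remote", "the tunnel only needs -R")
      want("gatewayports", "no", "34505/34506 must bind to loopback only")
      want("permittty", "no", "ssh -NT never needs a terminal")
      want("passwordauthentication", "no", "key login only")
      n = split((("permitlisten" in cfg) ? cfg["permitlisten"] : "any"), p, " ")
      for (i = 1; i <= n; i++) {
        port = p[i]; sub(/^.*:/, "", port)   # accept "34505" or "host:34505"
        if (port != "34505" && port != "34506")
          fail("permitlisten allows " p[i] ", want only 34505 and 34506")
      }
      exit (bad > 0)
    }'
}

# Constructed sample: settings in effect for an unrestricted account.
DEFAULT_ACCOUNT='allowtcpforwarding yes
gatewayports no
permittty yes
passwordauthentication yes
permitlisten any'

# Constructed sample: account limited to the two reverse forwards.
LOCKED_ACCOUNT='allowtcpforwarding remote
gatewayports no
permittty no
passwordauthentication no
permitlisten *:34505 *:34506'
```

On the server, run it as root with: sshd -T -C user=kvm,host=localhost,addr=127.0.0.1 | audit_tunnel_account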


Apache config

This is the config for your domain in Apache. Note that the KVM needs to be served from the root of its own hostname; you can't use a sub-path like domain.com/kvm, as the files are hard linked to /

<VirtualHost kvm.example.com:443>

       # Needs mod_ssl, mod_proxy, mod_proxy_http, mod_proxy_wstunnel,
       # mod_rewrite and mod_headers.
       ServerName kvm.example.com
       ServerAdmin me@you.org
       RewriteEngine On
       ProxyPreserveHost On
       # The backend is the KVM's HTTPS port, reached over the SSH tunnel on
       # loopback; with these settings its certificate is not verified.
       SSLProxyEngine On
       SSLProxyVerify none
       SSLProxyCheckPeerCN off
       SSLProxyCheckPeerName off
       SSLProxyCheckPeerExpire off
       RequestHeader set "X-Forwarded-Proto" expr=%{REQUEST_SCHEME}
       RequestHeader set "X-Forwarded-SSL" expr=%{HTTPS}
       # Send WebSocket upgrade requests to the backend as wss://
       # (server variables are written %{...}; REQUEST_URI already starts with /)
       RewriteCond %{HTTP:Upgrade} ^WebSocket$ [NC]
       RewriteCond %{HTTP:Connection} Upgrade [NC]
       RewriteRule .* wss://127.0.0.1:34506%{REQUEST_URI} [P,L]
       # ProxyPass rules are checked in order and the first match wins,
       # so the specific paths come before the catch-all for /
       ProxyPass /extras/webterm/ttyd/ws wss://127.0.0.1:34506/extras/webterm/ttyd/ws
       ProxyPass /extras/webterm/ttyd/ https://127.0.0.1:34506/extras/webterm/ttyd/
       ProxyPassReverse /extras/webterm/ttyd/ https://127.0.0.1:34506/extras/webterm/ttyd/
       <Location /api/ws>
               # Apache 2.4 form of "Order allow,deny / Allow from all"
               Require all granted
               ProxyPass wss://127.0.0.1:34506/api/ws
               ProxyPassReverse wss://127.0.0.1:34506/api/ws
       </Location>
       <Location /janus/ws>
               Require all granted
               ProxyPass wss://127.0.0.1:34506/janus/ws
               ProxyPassReverse wss://127.0.0.1:34506/janus/ws
       </Location>
       ProxyPass / https://127.0.0.1:34506/
       ProxyPassReverse / https://127.0.0.1:34506/

</VirtualHost>